Skip to content
  • Analysts
  • Contact Us
  • Services

The DFIR Report

Real Intrusions by Real Attackers, The Truth Behind the Intrusion

  • Analysts
  • Contact Us
  • Services
Saturday, December 03, 2022
Emotet Strikes Again – LNK File Leads to Domain Wide Ransomware
adfind cobaltstrike ransomware

Emotet Strikes Again – LNK File Leads to Domain Wide Ransomware

November 28, 2022

In June of 2022, we observed a threat actor gaining access to an environment via Emotet and operating over a eight day period. During this time period, multiple rounds of … Read More

BumbleBee Zeros in on Meterpreter
adfind bumblebee cobaltstrike Meterpreter

BumbleBee Zeros in on Meterpreter

November 14, 2022

In this intrusion from May 2022, the threat actors used BumbleBee as the initial access vector from a Contact Forms campaign. We have previously reported on two BumbleBee intrusions (1, … Read More

Follina Exploit Leads to Domain Compromise
adfind cobaltstrike Qbot

Follina Exploit Leads to Domain Compromise

October 31, 2022

In early June 2022, we observed an intrusion where a threat actor gained initial access by exploiting the CVE-2022-30190 (Follina) vulnerability which triggered a Qbot infection chain. Qbot, also known … Read More

BumbleBee: Round Two
adfind bumblebee cobaltstrike Meterpreter

BumbleBee: Round Two

September 26, 2022

In this intrusion from May 2022, the threat actors used BumbleBee as the initial access vector. BumbleBee has been identified as an initial access vector utilized by several ransomware affiliates. … Read More

Dead or Alive? An Emotet Story
adfind cobaltstrike emotet Exfiltrate Data Kerberoast ShareFinder

Dead or Alive? An Emotet Story

September 12, 2022

In this intrusion from May 2022, we observed a domain-wide compromise that started from a malware ridden Excel document containing the never-dying malware, Emotet. The post-exploitation started very soon after … Read More

BumbleBee Roasts Its Way to Domain Admin
adfind bumblebee cobaltstrike Kerberoast ShareFinder

BumbleBee Roasts Its Way to Domain Admin

August 8, 2022

In this intrusion from April 2022, the threat actors used BumbleBee as the initial access vector. BumbleBee is a malware loader that was first reported by Google Threat Analysis Group … Read More

SELECT XMRig FROM SQLServer
coinminer exploit

SELECT XMRig FROM SQLServer

July 11, 2022

In March 2022, we observed an intrusion on a public-facing Microsoft SQL Server. The end goal of this intrusion was to deploy a coin miner. Although deploying a coin miner … Read More

SANS Ransomware Summit 2022, Can You Detect This?
Conference

SANS Ransomware Summit 2022, Can You Detect This?

June 16, 2022

This report is a companion to the SANS Ransomware Summit 2022 “Can You Detect This” presentation today 6/16/22 @ 14:40 UTC (10:40 AM ET). Slides: SANS Ransomware Summit 2022 – … Read More

Will the Real Msiexec Please Stand Up? Exploit Leads to Data Exfiltration
CVE-2021-44077 Exfiltrate Data exploit Plink

Will the Real Msiexec Please Stand Up? Exploit Leads to Data Exfiltration

June 6, 2022

In this multi-day intrusion, we observed a threat actor gain initial access to an organization by exploiting a vulnerability in ManageEngine SupportCenter Plus. The threat actor, discovered files on the … Read More

SEO Poisoning – A Gootloader Story
cobaltstrike gootloader lazagne psexec

SEO Poisoning – A Gootloader Story

May 9, 2022

In early February 2022, we witnessed an intrusion employing Gootloader (aka GootKit) as the initial access vector. The intrusion lasted two days and comprised discovery, persistence, lateral movement, collection, defense … Read More

Posts navigation

1 2 … 6 Next

Translate

Subscribe to Blog via Email

Enter your email address to subscribe to this blog and receive notifications of new posts by email.

Follow us on Twitter

My Tweets

Subscribe to Blog via Email

Enter your email address to subscribe to this blog and receive notifications of new posts by email.

Proudly powered by WordPress | Theme: FreeNews | By ThemeSpiral.com.